A B2C IEF Custom Policy which allows specific apps to call the b2c policy (allow list of accepted clientIDs)
Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-ad-b2c]. If you find a bug in the sample, please raise the issue on GitHub Issues. To provide product feedback, visit the Azure Active Directory B2C Feedback page.
This policy checks whether the client ID in the OIDC request is on an allow list of application IDs. If it is, the flow lets the user attempt to sign in or sign up; if not, a block page is returned with a customizable error message.
Key components of this B2C custom policy:
- User journey steps 1 and 2 check whether the calling application's client ID is allowed, and block sign-in and sign-up if it is not.
- A block page that simply shows the user a "you cannot access this application" message; the message can be customized.
- A technical profile "checkIfAppIsAllowed" that collects the incoming client ID (using the {OIDC:ClientId} claims resolver), calls a claims transformation of type LookUpValue, and returns true if the client ID is on the allow list and false otherwise.
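The following XML is an added illustration of how those three components fit together in a custom policy; it is not the sample's own XML. The claim names (client_id, isAppAllowed, blockedMessage), the technical profile and user journey IDs, the api.selfasserted content definition reference and the two client IDs on the allow list are all assumptions or placeholders that you would replace with your own values. Note that in the Azure AD B2C schema the transformation method is spelled LookupValue.

```xml
<!-- Added illustration, not the sample's own policy XML.
     Claim names, technical profile IDs and the journey ID are assumptions;
     the client IDs in the allow list are placeholders. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="client_id">
      <DisplayName>Client ID</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="isAppAllowed">
      <DisplayName>Is the calling app on the allow list</DisplayName>
      <DataType>string</DataType>
    </ClaimType>
    <ClaimType Id="blockedMessage">
      <DisplayName>Access denied</DisplayName>
      <DataType>string</DataType>
      <UserInputType>Paragraph</UserInputType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Allow list: each InputParameter Id is one permitted application (client) ID.
         With errorOnFailedLookup=false an unknown client_id leaves isAppAllowed unset,
         which the orchestration step below treats as "not allowed" (fail closed). -->
    <ClaimsTransformation Id="isAppAllowed" TransformationMethod="LookupValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="client_id" TransformationClaimType="inputParameterId" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="00000000-0000-0000-0000-000000000001" DataType="string" Value="true" />
        <InputParameter Id="00000000-0000-0000-0000-000000000002" DataType="string" Value="true" />
        <InputParameter Id="errorOnFailedLookup" DataType="boolean" Value="false" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="isAppAllowed" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Application allow list</DisplayName>
    <TechnicalProfiles>
      <!-- Resolves the caller's client ID from the OIDC request and runs the lookup -->
      <TechnicalProfile Id="checkIfAppIsAllowed">
        <DisplayName>Check if the calling application is allowed</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="client_id" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="client_id" />
          <OutputClaim ClaimTypeReferenceId="isAppAllowed" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="isAppAllowed" />
        </OutputClaimsTransformations>
      </TechnicalProfile>
      <!-- Block page: a self-asserted page with no Continue button, so the journey cannot proceed -->
      <TechnicalProfile Id="SelfAsserted-AppBlocked">
        <DisplayName>Application not allowed</DisplayName>
        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        <Metadata>
          <Item Key="ContentDefinitionReferenceId">api.selfasserted</Item>
          <Item Key="setting.showContinueButton">false</Item>
        </Metadata>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="blockedMessage" DefaultValue="You cannot access this application." AlwaysUseDefaultValue="true" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<UserJourneys>
  <UserJourney Id="SignUpOrSignInAllowedApps">
    <OrchestrationSteps>
      <!-- Step 1: look up the caller's client ID -->
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="CheckIfAppIsAllowedExchange" TechnicalProfileReferenceId="checkIfAppIsAllowed" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Step 2: skipped when isAppAllowed is "true"; otherwise the block page is shown.
           An unset claim makes ClaimEquals false, so unknown apps are blocked. -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>isAppAllowed</Value>
            <Value>true</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AppBlockedExchange" TechnicalProfileReferenceId="SelfAsserted-AppBlocked" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Steps 3 onward: the starter pack's own sign-up or sign-in steps, renumbered -->
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

The precondition is written to fail closed: only a client ID that maps to the literal value "true" skips the block step, so a client ID missing from the list, or a lookup that produced no output claim, always lands on the block page. Because the check runs before any identity provider selection, the block page is reached before the user has entered any credentials.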
To implement this use case, follow these steps:
- Ensure you have followed the "Get Started with custom policies" steps within the Microsoft documentation site.
- Change the references in the Policy from "yourtenant.onmicrosoft.com" to the name of your B2C Tenant.
- Update the ClaimsTransformation with Id="isAppAllowed" to reflect your list of allowed client IDs. For more information about B2C claims transformations, see the Microsoft Azure AD B2C Claims Transformation documentation.
- Upload and run your policy.
This sample policy is based on the SocialAndLocalAccountsWithMFA starter pack; however, any of the starter pack policies should work. All changes are marked with a "Sample:" comment inside the policy XML files. Make the necessary changes in the "Sample: action required" sections.